
How to interpret IOS firewall log entries

cluovpemb
Level 1

Hi all.  I'm wondering how to read some of these log entries I see on the IOS 15.2 router I'm working with.  I'm fairly new to this stuff.  My understanding is that the first socket (123.123.123.123:port#) is the originating one, and the 2nd socket is the receiving or destination.  This makes sense when I see an entry like:

01043: *Nov 21 2012 10:28:34.323 PCTime: %FW-6-DROP_PKT: Dropping tcp session xx.xx.241.163:39557 192.168.xx.xx:80  due to  RST inside current window with ip ident 0

The internal IP is our email server inside the LAN, the first IP is some IP in a foreign country, so somebody visited our web interface for the email server, obviously trying to breach or recon the interface but whatever. 

Then I see an (unrelated) entry like this elsewhere in the logs:

001095: *Nov 21 2012 25:56:03.531 PCTime: %FW-6-DROP_PKT: Dropping tcp session xx.xx.178.210:25 192.168.xx.xx:47343 on zone-pair inside-outside class INSIDE-OUTSIDE due to  Stray Segment with ip ident 0

What this latter entry tells me is that the Internet host sent data FROM port 25 to what I am guessing is the open port our internal email server must have originated some other communication from.  However we do not accept incoming port 25 mail from anywhere but a designated IP so this "send" is not supposed to occur. 

So first off, am I reading that correctly?  Is the first IP the sending system, and the second IP the receiver? 

Oddly, there are no other entries in the logs between these two hosts, so either the logs have truncated with oldest entries removed (log buffer is set to 51200), or that outside host is sending, hoping to get our mail server to respond?  BTW, the outside host WHOIS's to Microsoft's IP range, Block 1. 

So, main question is how to read these log lines but also any other comments are welcome. 

Thank you. 

Accepted Solutions

Julio Carvajal
VIP Alumni

Hello Colin,

1043: *Nov 21 2012 10:28:34.323 PCTime: %FW-6-DROP_PKT: Dropping tcp session xx.xx.241.163:39557 192.168.xx.xx:80  due to  RST inside current window with ip ident 0

so somebody visited our web interface for the email server??

          That is correct

001095: *Nov 21 2012 25:56:03.531 PCTime: %FW-6-DROP_PKT: Dropping tcp session xx.xx.178.210:25 192.168.xx.xx:47343 on zone-pair inside-outside class INSIDE-OUTSIDE due to  Stray Segment with ip ident 0

What this latter entry tells me is that the Internet host sent data FROM port??

     It is true but this happens because one of your inside hosts started the communication to this SMTP server, so the outside SMTP is just replying back to you.

So first off, am I reading that correctly?  Is the first IP the sending system, and the second IP the receiver?

          Yes,

I think that answers all of your questions.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
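The reading both posts agree on (first socket is the sender, second is the receiver, and a well-known source port aimed at a high ephemeral port is the shape of a server replying to a session the inside host started) can be turned into a small parser for these %FW-6-DROP_PKT lines. The code below is an added example, not part of this thread and not Cisco code. It assumes the field layout generalised from the two lines quoted above (Cisco publishes no grammar I am relying on here), that the poster's LAN is 192.168.0.0/16 (a string prefix test, because the octets are masked with "xx" in the thread), and it includes one constructed third line to exercise the outbound case.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Message shape generalised from the two %FW-6-DROP_PKT lines in the thread
# (assumption, not a Cisco-published grammar). The "on zone-pair ... class ..."
# group is optional because the first quoted line lacks it and the second has it.
DROP_PKT_RE = re.compile(
    r"^(?P<seq>\d+):\s+\*?"
    r"(?P<ts>\w{3}\s+\d{1,2}\s+\d{4}\s+\d{1,2}:\d{2}:\d{2}(?:\.\d+)?)\s+"
    r"(?P<clock>\S+?):\s+%FW-(?P<sev>\d)-(?P<mnemonic>\w+):\s+"
    r"Dropping\s+(?P<proto>\w+)\s+session\s+"
    r"(?P<src>[^\s:]+):(?P<sport>\d+)\s+(?P<dst>[^\s:]+):(?P<dport>\d+)"
    r"(?:\s+on\s+zone-pair\s+(?P<zone_pair>\S+)\s+class\s+(?P<cls>\S+))?"
    r"\s+due\s+to\s+(?P<reason>.+?)\s+with\s+ip\s+ident\s+(?P<ident>\d+)\s*$"
)


def is_lan(ip: str) -> bool:
    # Assumption: the poster's LAN is 192.168.0.0/16. A prefix test is used
    # because the thread masks octets as "xx"; with real addresses use the
    # ipaddress module and the site's actual prefixes instead.
    return ip.startswith("192.168.")


@dataclass
class DropEvent:
    seq: str
    timestamp: str
    severity: int
    mnemonic: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    zone_pair: Optional[str]
    cls: Optional[str]
    reason: str
    direction: str      # "inbound", "outbound" or "unknown"
    likely_reply: bool  # service port -> ephemeral port, i.e. a reply pattern


def parse_drop_pkt(line: str, internal: Callable[[str], bool] = is_lan) -> Optional[DropEvent]:
    """Parse one %FW-6-DROP_PKT line; return None for any other line."""
    m = DROP_PKT_RE.match(line.strip())
    if not m:
        return None
    src, dst = m["src"], m["dst"]
    sport, dport = int(m["sport"]), int(m["dport"])
    # First socket is the sender, second the receiver (confirmed in the answer).
    if internal(src) and not internal(dst):
        direction = "outbound"
    elif internal(dst) and not internal(src):
        direction = "inbound"
    else:
        direction = "unknown"
    # Heuristic: a packet from a well-known service port to a high ephemeral
    # port looks like a server answering a client-initiated session, which is
    # how the answer explains the port-25 "Stray Segment" line.
    likely_reply = sport < 1024 <= dport
    return DropEvent(
        seq=m["seq"], timestamp=m["ts"], severity=int(m["sev"]),
        mnemonic=m["mnemonic"], proto=m["proto"],
        src=src, sport=sport, dst=dst, dport=dport,
        zone_pair=m["zone_pair"], cls=m["cls"], reason=m["reason"],
        direction=direction, likely_reply=likely_reply,
    )


def count_by_reason(events: List[DropEvent]) -> Dict[str, int]:
    """Tally drop reasons so repeated patterns stand out when reviewing a buffer."""
    counts: Dict[str, int] = {}
    for e in events:
        counts[e.reason] = counts.get(e.reason, 0) + 1
    return counts


# Sample input: the two lines quoted in the thread plus one constructed
# outbound line (the third is invented here to exercise the direction logic).
SAMPLE_LINES = [
    "01043: *Nov 21 2012 10:28:34.323 PCTime: %FW-6-DROP_PKT: Dropping tcp session "
    "xx.xx.241.163:39557 192.168.xx.xx:80  due to  RST inside current window with ip ident 0",
    "001095: *Nov 21 2012 25:56:03.531 PCTime: %FW-6-DROP_PKT: Dropping tcp session "
    "xx.xx.178.210:25 192.168.xx.xx:47343 on zone-pair inside-outside class INSIDE-OUTSIDE "
    "due to  Stray Segment with ip ident 0",
    "001100: *Nov 21 2012 11:02:10.001 PCTime: %FW-6-DROP_PKT: Dropping tcp session "
    "192.168.xx.xx:51000 xx.xx.178.210:25 on zone-pair inside-outside class INSIDE-OUTSIDE "
    "due to  Stray Segment with ip ident 0",
]


def triage(lines: List[str]) -> List[DropEvent]:
    """Parse a log buffer, silently skipping lines that are not DROP_PKT messages."""
    return [e for e in (parse_drop_pkt(l) for l in lines) if e is not None]


if __name__ == "__main__":
    for e in triage(SAMPLE_LINES):
        print(f"{e.seq} {e.direction:8} {e.src}:{e.sport} -> {e.dst}:{e.dport} "
              f"[{e.reason}] reply-like={e.likely_reply}")
```

Run against a `show logging` dump, the `likely_reply` flag separates the port-25 line (a reply to a session your own host opened, so the missing earlier entries are expected: the firewall only logs what it drops) from the port-80 line, where an outside client is the initiator. The `direction` field depends entirely on the `internal()` predicate, so substitute your real prefixes before trusting it.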
